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OO Abstract 

I— I We consider in this paper the information-theoretic secure key distribution problem over 

H 

HH main and wire-tap noise channels with a public discussion in presence of an active adversary. In 

fl contrast to the solution proposed by ourselves for a similar problem using hashing for privacy 

amplification, in the current paper we use a technique of extractors. 
^ We propose modified key distribution protocols for which we prove explicit estimates of key 

OO rates without the use of estimates with uncertain coefficients in notations 0,n,Q. 

fT^ This leads in the new conclusion that the use of extractors is superior to the use of hash 

~^ functions only with the very large key lengths £ (of order i > 10^ bits). 

^^ We suggest hybrid key distribution protocols consisting from two consecutively executed 

►^ stages. At the fist stage it is generated a short authentication key based on hash function, 

S^ whereas at the second stage it is generated the final key with the use of extractors. We show 

C^ that in fact the use of extraction procedure is effective only at the second stage. We get also 

some constructive estimates of the key rates for such protocols. 

Keywords. Authentication, cryptography, extractors, information-theoretic security, key 
distribution, privacy amplification, wire-tap channel. 



* V. Yakovlev, V. Korzhik and M. Bakaev are with the Department of Information Security of Telecommunication 
Systems, State University of Telecommunication, St. Petersburg, Russia e-mail: viyak@bk.ru, korzhikl@bk.ru. 

^G. Morales-Luna is with the Computer Science Department, CINVESTAV-IPN, Mexico City, Mexico e-mail: 
gmorales@cs.cinvestav.mx. Dr. Morales-Luna acknowledges the partial support of Mexican CONACyT. 



1 Introduction 

Advances in design and implementation of quantum computers [T] as well as design of super- 
fast multiprocessor conventional computers threat some conceptually secure cryptosystems. Hence 
perfect one-time pad ciphers proposed by Shannon [2] are necessary. But the use of perfect ciphers 
requires key lengths proportional to messages [3j. This inconvenience can be solved with the use 
of key distribution over communication channels protected from eavesdropping. There are several 
approaches in order to remove (or at least to control) an eavesdropping on the keys: 

• quantum channels [1], 

• methods based on fluctuation of radio wave channels [6l [3 [8] , 

• Wyner's concept of wire-tap channel, 

• key generation by hashing of random string initially distributed over noisy channels [TOl 

iniiiaiiainiiisiiisiiiTiiiHiiiHiEoiEiiES]. 

In the current paper, we follow the last approach. The most advanced results in this setting, 
under the condition of an active adversary have been obtained by Maurer and Wolf. They proposed 
several key distribution protocols [HI [12l [131 IHl [13 HI [13 [13 [Hi and made a performance 
comparison of asymptotic and non-asymptotic key rates for a given level of key security. 

We considered in |22] some modification of the Maurer and Wolf's MW-protocol consisting in 
using an authentication algorithm over noisy channels, called by ourselves the a-protocol, instead 
of the request-response algorithm presented in [ITj . In the same paper [22] , we proposed also the 
j3-protocol that differs from the a-protocol in absence of the hash function transmission over public 
discrete channel because the hash function can be formed from the string which the users have got 
just after the execution of the initialization phase. Using the /3-protocol entails an increasing of 
the key rate in several cases. We proposed also in [22] the so called a' and (3' -protocols in which 
special initially distributed short keys are used in order to provide authentication procedures over 
public discussion channels (PDC). 

Hybrid protocols comprising pairs of sequentially executed protocols (a, a'), (a,/3'), (/3,a'), 
(/3, j3') were investigated in [22] . The first protocol in each pair is used to generate an authentication 



key, whereas the second one provides a generation of the main secret key for encryption/decryption 
given the authentication key. The relation among the key rates and a comparison of protocol 
performance evaluation were also introduced. 

The main feature of the protocols considered in |22| is their strict constructiveness because the 
parameters determining their efficiency do not contain unknown coefficients typical for 0, 17, 0- 
estimations. 

Our contribution and novel content in the current paper are the following: 

1. We propose some new (modified) key distribution protocols using extractors. We prove ex- 
plicit estimates of key rates without the use of estimates of uncertain coefficients in 0,il.,Q- 
estimations. (In [22] we solved the similar problem using hash functions instead of extractors) . 

In contrast to [17], we consider a scenario where the legal users are able to receive raw bit 
strings over noisy channels and as a consequence they are pairwise distinct. This entails the 
need to send check symbols from user A to user B in order to agree the raw bit strings received 
by legal users. By the same reason, we have changed the authentication algorithm: instead of 
a request-response algorithm [l7], we use a non- interactive one based on the authentication 
code. 

A consideration of the non-asymptotic case leads us in the new conclusion that the use of 
extractors is superior to the use of hash functions only for very large key lengths (£) of the 
order of 10^ bits. 

2. We suggest hybrid key distribution protocols consisting of two consecutively executed stages. 
At the first stage, a short authentication key based on a hash function is generated, whereas 
at the second stage, the final key using extractors is generated. We show that in fact the use 
of an extraction procedure is effective only at the second stage. We get also explicit estimates 
of key rates for such protocols. 

3. We prove also an asymptotic behavior of the key rates for all considered protocols that allows 
to compare the potential efficiency of them with the potential efficiency of protocols considered 
here and in 1221. 



The outline of this paper is the foUowing: Section [2] contains the prehminaries and descriptions 



of the main procedures to be used in key distribution protocols. In Section 2.1 we describe the 
model of key distribution based on noisy wire-tap channels in the presence of an active adversary 
and we introduce the main criteria for key distribution protocol efficiency. We introduce main 
procedures as error correction, authentication and privacy amplification (based both on hashing 
and extraction). In section [3] we describe the Ogxi-protocol, and the new key distribution Pext- 
protocol without transmission of the extractor's seed on the public discussion channel and we prove 
their main features. In section H^ we present a modification of the previous Og^j and /Jg^^-protocols 
under the condition that initially the legal users share short authentication keys. In section [5] we 
describe the so called hybrid protocols as combinations of different pairs of single protocols and we 
estimate their performance evaluation. In section [6] we conclude the paper. 

2 Main notions and procedures involved in the key distribution 
protocol 



Here, we repeat mostly the content of the same point as in [22]. It is done in order to provide an 
independent reading of the current paper. 

2.1 Model for key distribution and the main criteria for protocol efficiency 

Let us consider the model of key distribution between a legal user, Alice (A), and another user. Bob 
(B), in the presence of an active adversary. Eve (E), assuming that initially the legal users do not 
have shared secret keys. The key distribution protocol (KDP) consists of two phases: initialization 
and key generation. 

In the KDP initialization phase, A, B, and E receive random i.i.d. sequences X = {xi}-^^, 
Y = {yi}i^i, Z = {zi}-^^ G {0,1}'^, respectively, such that for each i, Pr (xj j^ yi) = Pm and 
min{Pr (xj ^ zi) ,Pr (yj 7^ Zj)} = p^ (see Figure IT]). One of the methods to provide legal users A, 
B with the sequences X, Y is to generate the truly random sequence S = {si]^^^ G {0, 1}'^ by 
some trusted party, say source S, and then to transmit it to the legal users A and B over noisy 
channels (as in the source model f9], [E]). We will assume that A and B receive the sequences X, Y 




Figure 1: Model of key distribution protocol over noisy legal channels in presence of an active 
adversary. 

over binary symmetric channels (BSC) without memory with error probabilities tta = Pr (xi 7^ Sj), 
ttb = Pr (yj 7^ Si), while the adversary E receives the sequence Z over a BSC with error probability 
tte = Pr (zj ^ Si). It is easy to see that if the original sequence S is truly random then the 
same property holds for the sequences X, Y and Z. (Examples of practical implementation of the 
initialization phase in real world can be found in [22j). In this phase it is natural to assume that 
the adversary is unable to intervene the transmission from S to A and B. 

The key generation phase consists in an information exchange over a public discussion channel 
(PDC) with a goal to share eventually the final key. We note that the use of PDC is necessary 
in order to send check symbols to test the agreement of the strings X and Y and sometimes for 
the parameters of the hash function or extractor seed transmission (see details in the following 
sections). The adversary E can receive all information transmitted over the PDC. We assume also 
that the PDC's between legal users and E are binary noiseless channels (if E does not intervene 
in transmission). However E can change or replace this information as desired and therefore it is 
necessary to authenticate messages transmitted over a PDC in order to detect any intervention of 
E and to reject suspicious messages. 

Let us define the following parameters of the key distribution protocol characterization: 



i: the key length (the number of bits which are contained in the keys K^ and Kb), 

I{Ka,U): the amount of Shannon's information in possession of the adversary E about the 

final key Ka after receiving all acceptable information U , including the sequence Z and the 



other messages transmitted over the PDC 

Pe = Pr {Ka 7^ Kb)' the probabihty of legal users keys disagreement, 

Py: the probability of false rejection of the KDP protocol (when A or B falsely believe that E has 
intervened the PDC), 

Pd'- the probability of deception false information provided by E during information transmission 
over PDC (it can result in an opportunity to fix a key between any legal user and E although 
leaving the legal user on the belief that he (she) has shared a key with his (her) legal partner), 

Rk- the key distribution rate (the ratio of the key length i to the length of sequences X, Y), 

Rk = Ti- 
lt is reasonable to impose the following conditions on the KDP: 

£ = r\ (1) 

I{Ka,U) < J'^"'"^, (2) 

Pe < Pf"^: (3) 

Pf < pf^^ (4) 

Pd < Pf^: (5) 

where P''^'' denotes the required key length and the superscript adm stands for admissible parameter 
value. We will say that the above conditions are requirements of the KDP. The efficiency of the 
KDP will be estimated by the key rate R^ and then among all protocols satisfying ([T])-([5|, we will 
select the most efficient by making Rk to attain its largest value. As we will show later, some 
inequalities ([2])-([5| may randomly hold. Then an additional requirement can be stated as 

Prisk < P'risk > (6) 

where P^f^ is the probability that at least one of the inequalities (N)-J5J) does not hold. 



2.2 Known asymptotic results regarding key rates 

Let us denote by R*, R** the maximum achievable key rates in a KDP between the legal users 
under the condition of a passive or active adversary, respectively. In the papers [12] , [Hj , [T7] , [19] 
the proofs of these values were presented. For the source model of the wire-tap channel with 
initialization phase in the KDP using BSC with probabilities tta, t^b, t^e the following theorem 
holds: 

Theorem 1 (see [19] ) // tte > t^a <ind tte > ttb , then R* = R** . If either tte < tta or tte < ttb 
then R** = 0. 

We note that under the conditions tte > it a and tte > ttb, the users A and B either share the key 
or they may detect interception in the case of E's intervention. This fact cannot be interpreted as 
a defect of KDP because E can use even a simple strategy: she tries to break off the PDC between 
legal users in order to impede the completion of the KDP. Let pm, Pwi Pw^ denote the probabilities 
of disagreements among the sequence pairs {X,Y), (X,Z), {Y, Z) respectively. Then 

Pm = TTA + TTB - StTaTTb 
Pt = T^A + TTE- ^TTATTE 
Pw = TTB + TTE- 2tTbTTe 

It is easy to see that if tte > tta then p^ > pm and similarly if tte > ttb then p^ > pm- We will 
consider the worst case for legal users as pw = min{p^,p^}. 

After the execution of the initialization phase the source model is reduced to the channel model 
where user A sends the sequence X to user B who receives it as Y , whereas E receives X as Z . 
Then the probability of error on the main virtual BSC between A and B is pm and the probability 
of the wire-tap virtual channel from A to E is Pt^,. (The PDC remains the same after such reduction 
of the source model to the channel model.) 

Theorem 2 (see [19j) In the channel model setup with probabilities pm, Pw the maximum key 
distribution rate is 

R* = 9{Pw) - g{Pni), (7) 
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where p ^ g{p) = —p logp — {1 — p) log(l — p) is the entropy function. 

2.3 Error correcting codes 

Let C be a binary linear error-correcting {k + r, r)-code and let C^ be a string consisting of r check 
symbols. It has been proved in |23] that if the information symbols are transmitted on the BSC 
with the error probability pm, whereas the check symbols on the noiseless channel, then the average 
error probability of decoding on the ensemble of all {k + r, r)-codes meets the following modified 
Gallager's bound 

P, < 2-*^-^(«^), (8) 

where 

pi2Rc - 1) 



E(Rc) = max 
pe(o,i) 



Eo{p) 



1 



(9) 



R, 

Eo{p) = p-{l + p)log^[p^^{l-p^)Tt-,] (10) 



is Gallager's function for a BSC with the error probability pm 

«= = kT-r <"' 

is the code rate. We note that in the frame of the above model, the code rate Re satisfies the 
inequality 

0<?%^<C*, (12) 

where C* = 1 — g{pm) is the capacity of the BSC with the probability of error pm- 



It follows from (12) that \ < Re < jt-4^ — y In the asymptotic case Re — )• jjA — y, then 

r = kg{pm)- (13) 



We see from (13) that an arbitrary small value of the erroneous decoding probability is achieved 
for large block length if the number r of check symbols (but not block length) is proportional to 
the number of information symbols k with coefficient g{pm)- 



2.4 Authentication based on the class of universal hash functions 

In order to execute the authentication procedure, we use the universal hash function which are 
described below. 

For any finite set A, let 1^41 denote its cardinality. For any two finite sets A, B, let if be a set of 
hash-maps A ^ B. For each xo,a;i G A, let (5//(xo,xi) = \{h £ H\ h{xo) = h{xi)}\ be the number 
of hash functions in H that collide in xq and xi. We recall that H is universal2, U2 in short, if for 
each 2;o,2;i G A, 6h{xo,xi) < |^. 

Let Pcoi be the so called collision probability, namely the probability that there occurs a pair of 
elements in A colliding under an uniformly chosen map h € H. Clearly, Pcoi < |i?|^^- The class H 
is strongly universal2, SU2, if 

yx£A,ybeB: \{h £ H\ h{x) = y}\ = \^ (14) 

\B\ 

and besides for any distinct xo,xi £ A, and any yo,yi € B, 

\{h G H\ h{xo) = yo & H^i) = yi}\ < T^- 

\£3\ 

For a given e > 0, the class H is e-almost universal, e-AU2, if for all xq, xi G A: 6h{xq, xi) < e \H\. 



The class H is e-almost strongly universal, e-ASU2, if (14) holds and for any pairs xo,xi and yo,yi 
of distinct points in A and B, 

\{h G H\ h{xo) = 2/0 & Hxi) = yi}\ < e^. 

Naturally, each class \B\^^-ASU2 is also SU2- 

Examples of hash functions classes: We assume that the sets A and B consist of all binary 
sequences of lengths a and b, respectively: A = {0, 1}", B = {0, 1}'', hence |^| = 2°", \B\ = 2*. 

An U2 class. The set A can be identified with the Galois field GF{2'^). For each s G GF(2''), 

let /is : A^- B, x h^ [xs\b, where the map z >-^ [zjf, takes the b least significant bits in z. The 
class {/is}gg^ is 1/2- Such hash functions are described uniquely by binary strings of length 
a. 



An SU2 class. For each s,t G GF(2"), let hgt '■ A ^ A, x >-^ sx + t. The class {hgtJsteA 

is SU2 and clearly this class can be indexed by sequences of length 2a. 

An e-ASU2 class. It has been shown in [23] that the hash functions chosen from an e- 

ASU2 class are connected with incomplete balanced schemes. The parameters of the e-ASU2 
class can be described as 

\A\ = q^' ,\B\=q, \H\ = q^+^ , e = ^±^, (15) 

q 

where g is a power of a prime and i > 1 is an integer. 

Let us analyze the procedure of message authentication. Let x be the message to be authenticated 
during its transmission from user A to user B. User A forms the authenticator y = h{x) of his 
message x using the keyed hash function h £ H known by him (but unknown for adversary the 
E), then A appends y to x and sends the pair (x,y) to the legal user B. In order to check the 
authenticity of the message x, the user B receives a pair (x, y) (which may be forged), B forms the 
authenticator y = h[x) with his knowledge of the secret hash function h and compares y with y. If 
they coincide then B accepts x, otherwise he rejects it. 

It was shown in j24j that if the hash functions, chosen from the e-ASU2 class, are used in the 
authentication procedure then for the best adversary's strategy consisting in an impersonation or 
substitution of the messages, the following probability bounds hold 

P^ < \B\-\ (16) 

Ps < e, (17) 

where Pi is the probability of message impersonation, and Pg is the probability of message substi- 
tution. 

Let us define the probability of undetected false message deception by the adversary as P = 



max{Pj,Ps}. The bounds (16), (17) will hold only if the active adversary ignores completely the 
used hash function h in the authentication procedure. But there may be situations when the keyed 
hash function is partly known by the adversary although authentication procedure is still possible. 
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In order to clarify this situation let us recall initially from [M] that for a discrete random variable 
^ taking values over a set X with probability distribution P^ the minimal entropy is 

Hoo{C) = -logmaxP£(x), 

xex 

and the Renyi entropy of the random variable ^ is 

ii2(e) = -iog^p|(x). (18) 

x&X 

Theorem 3 (see [25| ) Suppose legal users A and B have the random key h with length Iq within 
an authentication scheme based on e-ASU2 hash functions where e = 2^^. Denote by U the total 
knowledge of E about h. Then, assuming that for any sample u 

Hooih\U = u)>tio, 0<t<l, (19) 

the probability Pd of message undetected deception is upper bounded as 

f b-£Q{l-t) \ 

2.5 Authentication based on noisy channels 

The message authentication considered above and based on the use of hash functions from either the 
class SU2 or the class e-ASU2 requires a possession by legal users of the secret or partly secret keys. 
However such keys cannot be taken directly from the strings X^, Y'^ shared in the initialization 
phase because they differ even for legal users. On the other hand it is impossible to conciliate 
these string by sending from A to B the check symbols strings of X because PDC is get not 
authenticated and B could "conciliate" formerly the false string Z^ with E. 

In order to avoid this situation it is necessary firstly to design a keyless message authentication 
based on noisy channels. In [12] a special type of codes has been proposed in order to solve this 
problem: the so called authentication codes (AC). Let us describe them briefly. 

In an initialization phase the users share the strings X^ , Y^ over a BSC (Pr (xj 7^ yi) = pm) and 
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they agree an error correcting binary systematic (n^, ka)-code V in order to authenticate a length 
ka message. The authenticator w = (wi, . . . , Wna) of a message m is formed as fohows: for each 
i let Vi be the i-th bit of the codeword in V corresponding to m and Wi = Vi ii Vi = 1, or let it 
remain undefined otherwise. 

After receiving a pair (m, w), the user B forms his authenticator w for the message m using 
his string Y according to the agreed procedure and compares w with w. If the number of the 
coinciding bits in them is less or equal to some given threshold A^ then the message m succeeds 
as authentic, otherwise it is removed as forged. The AG's were investigated in P^ and can be 
characterized by two probabilities: 

Pf. the probability of false removal of the message although adversary E does not intervene at all; 

Pd- the probability of the deception of false message, i.e. the probability of the event that E has 
forged a message and this fact was not detected by B. 

Pf and Pd do not depend on ordinary minimum code distance of the code V but on the so called 
minimum asym.m.etric sem,idistance dgi that is determined by the minimal number of differences 
between and 1 symbols in any pair of distinct code words of V . 

Theorem 4 (see |22|, I26| ) Let V he an (ua, ka)-AC with constant Hamming weight r for all non- 
zero codewords and with asymmetric semidistance doi • Then the probabilities Pf and Pd for the au- 
thentication procedure on noisy wire-tap channel with parameters Pm andp^, can be upper bounded 
as follows: 



JZ ( j °MPm(l-Pm) 



i=o 

It is a very hard problem to find doi for any linear code. But there exists a very simple method to 
design the code V with known doi; given the linear (no, /co)-code V with known ordinary minimum 
code distance d proposed in [T2] . 
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Namely, let us substitute the symbol 1 with the symbol pair 10 and the symbol with 01 in 
y.Then evidently the parameters of the code V are: 

na = 2no , ka = ko , doi = d , r = no- (20) 

We have proved in j22] the following theorem with the use of the above code. 

Theorem 5 Let V be a (ko + rQ,kQ)-error correction code with minimum distance d that is used 
in the authentication procedure. Then for any p,q > there exists an integer k'^ and an AC, 
guaranteeing y' "^ Q; -^f — P' ^d ^ P for all ko > /cq. 

It follows from this theorem that 



ro 

■ as A;o — )■ +oo. 



ko + ro 

This means that the length of the authenticator approaches zero as the block length tends to 
infinity. Other methods to design constant weight AC were investigated in |27j . 

2.6 Extractors 

Let us recall the notion of extractor and strong extractor |28l \29\ l30] . Two probability distributions 
P, Q, defined on the same set X, are called e-close if their statistical difference 



dif{P,Q) = \Y.\Px{x)-Q, 



does not exceed e. A map E : {0, 1} x {0, 1}'" — )■ {0, 1} is an [r], e) -extractor if for any probability 
distribution random variable X on {0,1}'^ such that Hao{X) > rj and any uniformly distributed 
random variable T on {0, 1}", the statistical difference probability distribution of the extractor 
output E{X, r) with respect to an uniform distribution on {0, 1} is at most e. In order words, the 
extractor maps a random sequence X of length k with symbols taken from an ensemble of minimal 
entropy Hoo{X) to a random sequence of length (. that is e-close to an uniformly distributed sequence 
with the help of a truly random sequence F of length u. The last sequence can be seen as a "seed" 
of the extractor. The extractor E[X,T) has parameters {k,rj,u,£,e), where k is the length of 
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input random sequence, r] is the evaluation of minimal entropy {Hoo{X) > rf) on the set of input 
sequences, u is the length of the seed F, i is the length of the output sequence, and e is the statistical 
distance between the output probability distribution and an uniform distribution on the output 
set. 

A mapping E : {0, l}'^ x {0, 1}" — t- {0, 1}^ is called a strong extractor E{X, T) if for any proba- 
bility distribution random variable X on the set {0, 1} having minimal entropy Hoo{X) > t] and 
for any uniformly distributed random variable T on the set {0, 1}" the probability distribution of 
the concatenated variables (F o E{X,r)) is close to an uniform distribution on {0, l}^"*"". More 
specifically 

dif(ToE{X,T),U''+^) <e. 



This means that the strong extractor provides the closeness of probability distribution for the 
concatenation of the output extractor sequence and the seed sequence to an uniform distribution. 
In the current paper, we will consider only extractors based on the construction |28t [29] which is 
an improvement of the originally proposed by Trevisan j 30| . 

Theorem 6 (see theorem 22 in |29| ) For every k, Hoo{X), i € N and e > 0, such that £ < 
Hoo{X) < k, there are explicit strong {Hao{X),e) -extractors E : {0, l}'^' x {0, 1}" — > {0, 1}^~^ with 

or 

« = o(log2(^)).log2Q), (22) 

where 1 + ^ = j^, /^ < 5 and A = 0{d). The value A is the loss of extractor output sequence 
length. 



The first extractor (21), with ^ — - constant, is used for extraction of an arbitrary part of 



randomness {Hao{X )) from the input sequence X , whereas the second one (22) is needed in order 
to extract all randomness i = Hoo{X^) from the input sequence X^. 

We are not going to use the estimates based on the O-operator and therefore let us find a more 
accurate estimate for the length of the seed. For this reason we consider in greater detail the design 
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Figure 2: Design of the Trevisan's extractor. 



of the Trevisan's extractor modified by Raz, Reingold, Vadhan [29]. 

In order to design the Trevisan's extractor it is necessary to reahze three components: 

1. The hnear error code W: With parameters {n^k) and minimal code distance dyj, where 
n = 2^^, 1/ G N. It is proposed to take this code as a concatenation of the Reed-Solomon and 
the Adamar codes. 

2. Combinatorial block design scheme. [Balance incomplete block design^ BIBD). This is a family 
of sets S = {5i, /S'2; • • • ; 'S'^} holding the following properties: 



i / J 



5iC{l,2,...,w}, 



1 5i n Sj I < log c with c > 1 . 



(23) 



This means that the family consists of (. sets or blocks, each consisting of v elements taken 
from the set of integers {1, 2, . . . , n}, while the number of elements contained simultaneously 
in any pair of blocks is at most logc. Such construction is designated as a (vjc) -scheme. 

3. Boolean function /: This map is defined over {0,1}'^ and for each ai,...,a,y G {0,1}, 
/(oi, . . . , Uu) is a codeword of the (n, A;)-code W. 

The design of the extractor based on the three components given above is presented in Figure [2| 
The algorithm is executed in the following stages: 
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1. The input sequence x is encoded as w with the error correcting (n, A;)-code W. The word w 
gives the value of the Boolean function / : {0, 1}'^ — )■ {0, 1}^. 

2. The random sequence 7 of length u determines the samples 715*2, consisting of v symbols of 
7 with the use of blocks Si belonging to the (i^, c)-BIBD. This means ^\Si = ['yjg^s- 



3. Output w = / f (7|S'j)j^^ j as the result of the extractor. 
In the modified extractor version at |29], it was proposed to use a {1^, c)-weak scheme, in which the 



condition (23) is changed by the condition 



where c is some constant, c > 1. The length n of the code W is chosen in [29], p. 106, according 

to the condition 

k 
log(n) = 0(log-). 

Since w is the output of a Boolean function with 1^ arguments, n should be equal to 2^^. Obviously 
this condition will be fulfilled if 



log- 



k' 



(24) 



where [x] is the "ceiling" of x (the least integer greater or equal than x). 

The characterization of strong extractor is determined by the following statements. 

Theorem 7 (Proposition 10 in |29| ) If S = {Si, . . . , S() (with Si C j) is a weak {u, c)-design 
for 



H^{X'')-3log--u-3 
e 



(25) 



then E : {0, 1}^ x {0, 1}" -^ {0, 1}^ is a strong {H^{X^),e)- extractor. 



Theorem 8 (Lemma 15 in [29j ) For every i^, £ G N and O I, there exists a weak {u,c)-design 

S = [Si, . . . , Si) (with Si C 7J and 



u 



Inc 



(26) 



Moreover, such a family can be found in polynomial time poly{i,u). 
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Theorem 9 (Lemma 17 in [29]) For every z^, ^ G N and < /z < ^ > there exists a weak {v, l+ji)- 
design S = {Si, . . . , Si) (with Si C j) with u = O iu"^ ■ log ^ j . Moreover, these families can he 
found in polynomial time poly{l, u) . 



The results of Theorem [6] will be avoided in our further investigation because a presentation of 
the output sequence length u in the form ^ — A is inconvenient in the optimization procedure. 
We will get an estimate of u taken from the results of Theorems l7](9] directly. More specifically, 



using ( 24 ) and ( 26 ) one can write the relation for the necessary number of seed symbols for the 



first extractor (21) in Theorem 6 



u 



[log 



Inc 



log 



(27) 



For the second extractor (22), it follows from the proof of lemma 17 in [29] that uq = ["jjj^] 
where u = t ■ uq, t 



log 



< /z < i . Then in terms of ( 26 ) we get 



[log^ 



In 2 



log 



k' 



log- 



Ai 



2.7 Privacy amplification 

The procedure of privacy amplification (PA) at the final stage of the key generation between users A 
and B has been investigated in detail in |10lll7j . PA can be implemented either by hashing [inillZ] 
or by extraction [28j . We will consider in the current paper the second approach. 

In order to compare our new results with the results obtained in [22j where hashing has been 
used as the privacy amplification procedure, let us specify an application of both methods. 

The sequence X'^ of length k bits is mapped by the user A to the sequence X^ of length £ 
through a keyless hash function from the class U2, or SU2- In a similar manner the user B forms 
his key X^ after error-correcting his sequence Y^. 

The most important parameter of the PA procedure is the residual Shannon's information 
received by the adversary E, concerning the final key K^ = Kb- The estimates of this information 
leaking of E are given in |10|,ll7j for different settings of wire-tap channels. The more general bound 
is presented below. 
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Theorem 10 (see |10j ) Let X be the sequence of length k transmitted from A to B over a BSC 
with the error probability Pm CLnd received by B as the sequence Y^ . Assume also that Z^ is the result 
of receiving X^ by the adversary E over a BSC with probability p^, while the Renyi information 
contained in Z about X is t. Let H be a U2-class of hash functions from {0, 1} into {0, 1} , 
known by all participants (A, B and E) and let h & H be a truly random hash function chosen 
by A, transmitted to B over a PDC. If the users A and B compute their keys as Kj^ = h{X^), 
Kb = h{Y^), then the amount of Shannon's information about the keys Ka,Kb is upper bounded 
as 

I(KA;Z\h)<—^-^. (28) 

The Renyi information t is connected with the Renyi entropy H2{X''\Z^) as 

t = k-H2{X^\Z^). (29) 



For the BSC used as wire-tap channel we have by (18) 



H2{X'^\Z^) = -k log {pi + {I -p^f). 

If the adversary receives some extra information about X aside the information contained in Z 
(for instance the sequence C^ of check symbols of length r eavesdropped by E over the PDC), then 
the amount of conditional Renyi entropy H2{X \Z \ h, C^) that received E can be estimated by the 



theorem 11 appearing below. (This theorem also gives the estimation of the amount of conditional 
minimal entropy Hoo{X^\Z^, h, C) which we use later). 

Theorem 11 (see |17] ) Let X and C be two random variables and let s > 0. Then the following 
inequalities hold: 

H2iX)-H2{X\C = c)<log\C\+s (30) 

S -1 

with a probability at least 1 — 2~2~ ^ 

/7oo(^'=)--?^oo(^^|C = c)<log|C|+S (31) 

with a probability at least 1 — 2~^ . 
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We can apply (30) in order to estimate H2{X \Z ,h,C^). Then we get 



fcl 'yk 



HiiX^lZ^, h, C) > H2{X^\Z\ h)-r-s 



(32) 



It follows from (29) and (32) that 



i = k-H2iX^\Z\h,C'') 
< k-H2{X^\Z^,h) + r + s 
= t + r + s. 



(33) 



Substituting t from (33) into (28) instead of t, we get the upper bound of Shannon's information 
leaking to E 



I{KA;Z\h,C')< 



^—{k—i—t—r—s) 



s -I 

that holds with a probability Prisk < 1 — 22~ . In order to compare the performance of privacy 
amplification based on hashing and on extraction, let us prove a new lemma establishing a con- 
nection between the Shannon's information leaking to adversary regarding the key at the output 
of the extractor, and the statistical difference among distribution of the final key and an uniform 
distribution. 

Lemma 1 If the statistical distance between the output of the extractor generating the length i key 
and an uniform distribution is at most e, then the amount of the Shannon's information concerning 
the key got by any adversary is upperly bounded as 



I{K^; Z^lr"") <2i^e. 



Proof. The following inequality holds by definition of strong extractor 



difiV" o Ext(Z*^, r'^), y^+") < e. 



(34) 



The meaning of this inequality is that the probability distribution of the concatenation of the 
extractor's output and the "seed" F" is close enough to an uniform distribution. In order to 
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simplify the notation, let us denote by D the term at the left of ( 34 ) . We note initially that for an 



uniform distribution on the space y^+", the following equality holds 



D = M^^.[di/(Ext(Z^7"), V')]. 



(35) 



where 7" is a random sequence and M^u [•] is the expectation with respect to the distribution on 
r". In fact, D itself can also be expressed as the term: 



- y. 



PEW^e') Prui^) - Py,{v')Pvu{v-] 



(36) 



where e^ is the output sequence of the extractor E. 



Since the distributions i-'r"(7") and Pv^{v^) are both uniform, the term (36) gives 



D 



lj;Pr„(7") j;|p^|r„(e^)-Pv'^(t 
lY.PM^ndtf(ExtiZ\n,V') 



M^.[d^/(Ext(Z^7"),r)] 



proving (35). By combining (34) and (35) it is obtained 



M^4(/i/(Ext(Z^7"),y")] < e 



(37) 



Using the well known Markov's inequality, (37) implies 



Pr" 



d^/(Ext(Z^7"),F^)<pe 



> 1 



P 



where p > 1 is some arbitrary value. 

In the lemma 6 at [17], the following inequality has been proved which put in our own notation 
states 

H fExt(Z^ 7")) >£(l- di/(Ext(Z\ 7"), V^) - 2-^) . (38) 
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Taking into account that the output extractor sequence is just the key, we can write 



H ('Ext(Z^7")) = H (k^IF'' = 7" 



(39) 



Then by substituting (39) into (38), we have that the inequahty 



H K*|r" = 7" > £ 1 - dif{Ex.t{z\ 7"), y") - 2 



(40) 



will hold with probability 



Pp" [inequality (40) holds] > 1 



(41) 



It follows from (41) a trivial estimate for the averaged value H (K\r^ = 7") over 7", namely 



H K^W''] > ( 1 



1- pe-2- 



(42) 



After a simplification on the right side of ( 42 ) and by neglecting smaller values than 2 



i/(K^|r") >i(l-p€-- + e 



Then for the amount of information leaking of an adversary concerning the key K , given the 
knowledge of F", the following bound is obtained 



/(i^^z'^ir") < -+ee{p-i). 



(43) 



The right side of ( 43 ) is minimized under the condition p = —j= giving the final inequality 



/(iv:^;Z^|r") <U^e 



providing thus the desired result. 



D 



It follows from the above lemma that if the value of the statistical difference at the extractor 
output that forms the length i key does not exceed e, then the amount of the residual information 
regarding the key obtained by the adversary does not exceed 2^y^. 
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This means that a requirement, regarding the amount of Shannon's information on the key 
leaking to an adversary, of the form I{K'^; Z'^jr") < 7'^°'™ wih be fulfilled if 2iy/^ = 7"'^™. This fact 
results in the following requirement to the extractor's statistical distance: 



jadm \ ^ 
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(44) 



3 Key distribution protocols 

3.1 Statement of the protocols 

Two key distribution protocols in presence of an active adversary have been proposed by Maurer 
and Wolf in [17J: the UH-protocol, in which privacy amplification procedure was executed using 
hash functions and the EX- protocol based on extractions. It has been shown in [17J that the EX- 
protocol majors the UH-protocol with respect to several conditions. 

We want to investigate a performance of these and other new protocols. We will show that our 
new protocols are superior than those considered in |17| for non-asymptotic cases (e.g. when the 
sequence lengths are finite). 

Initially we consider modified UH- and EX- protocols and denote them as a and aext, respectively. 
A difference between the original and the modified protocols is determined by two factors. 

1. We consider protocols under the condition vr^i / 0, vr^ 7^ 0, 7r^,7rB < vr^;, or equivalently the 
conditions pm > 0, pw > Pm, see Figure [ij This requires to send the check symbols from A 
to B in order to conciliate X^ and Y^. 

2. Instead of the authentication algorithm ^''request-response" presented in pT], we will use non- 
interactive the AC-based algorithm (see Section ^ because this allows the users to provide 
authentication even when the sequences X and Y do not coincide completely. By the same 
reason, the authentication algorithm and the number of substrings of the original strings X 
and Y^ are changed. 

Before the execution of the a, Oext-protocols, the users A and B divide their respective sequences 
X'',Y'', into X'l\ X^^ and YJ'', Y^^ of lengths A;i, /c2. (The first parts X^' and Y-^' will be used 
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for key generation in the execution of the PA procedure while the second parts X2 ^ and Y2 ^ will be 
used in the execution of the authentication procedure). Since the a-protocol was already considered 
in [52], we move on to the ae^i-protocol |31| . 

1. The user A forms the string C{^ of check symbols of length ri to the string X^^ using a 
(ki + ri, A;i)-error correcting code Ci. (This code should be agreed by users in advance.) 

2. The user A generates a truly random binary sequence 7 (which will be used as an extractor 
seed) of length u. 

3. The user A forms the authenticator w for the message (C{^,7) using for that an AC based 
on an error correcting (no, /cq = ri + u, d)-code and the sequence X2^ ■ 

4. The user A sends to B the message (C[^,7) over a PDC appended with the authenticator w. 

5. The user B verifies the authenticity of the message (C[^,7) through the known (no, A;o)-AC 



rk2 



and his string 1^^ (see section 2.5). If authenticity is confirmed, then B goes to the next 



step. Otherwise he rejects the KDP. 

6. The user B corrects the error in string Y-^ ^ through the check symbols string C[^. We denote 
by y^ ^ the string Y-^ ^ after error correction. 

7. In order to get the keys K^ and Kb both users A and B execute a privacy amplification 



procedure based on an extractor (see section 2.6): Ka = Eext{X\,"f), Kb = EextiXiil)- 



Recall that the a-protocol differs from the aea;t-pi"otocol in that it generates a hash function h 
in step 2. This hash function jointly with the check symbols of C\^ and the authenticator w are 
transmitted to B (steps 3-5). In the seventh step, this hash function is needed for key generation: 
Ka = h{Xi), Kb = h{Yi). 

It has also been proposed in [22] a new /3-protocol that differs from the a-protocol in the 
following: After the execution of the initialization phase, both users A and B have got the strings 
that can in fact be used to form the hash functions. In this way, we do not require to send the hash 
functions over the PDC, hence the length k2 used before for authentication of the hash function 
can be shortened. Therefore we may expect that the length of the substring Xi is increased (if the 
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total length of the string X is fixed). But such conclusion is not so apparent because we have to 
extract the hash function as a segment from the string X. 

A similar problem appears in the case in which an extractor is used instead of a hash function 
for privacy amplification. In the aea;t-protocol A generates a truly random sequence 7 and sends 
it to B jointly with the authenticator of 7. But the required sequence 7 can be gotten directly by 
both users A and B from the initially distributed strings X and Y . This results in the following 
/^exi-protocol. It is worth to note that although 7 is not uniformly distributed from the adversary's 
point of view this has no relevance for strong extractors. 

Within the above setup, the users A and B divide the strings X^ , Y^ into three disjoint parts 
Xfi, X!^\ X^* and Y^\ Y^^ Y^'' with ^1 + ^2 + ^3 = k. Then they execute the following steps: 

1. The user A forms the length ri string C[^ of check symbols of the string X^^ using the error 
correcting (fci + ri, /ci)-code Ci, agreed in advance. 

2. The user A forms the length r2 check string 6*2^ of the string X^^ using the error correcting 
(^3 + ^2, fc3)-code C2, agreed in advance. 

3. The user A forms the authenticator w of the message ((7[^ , Cg^) using an AC and his substring 

X^\ 

4. The user A sends to B the message (C[^, C2^) over a PDC appended with w. 

5. The user B verifies the authenticity of the message (C[\ Cg^) using a AC and his substring 
Yg ^- If it is confirmed then he goes to the next step. Otherwise he rejects the KDP. 

6. The user B corrects errors on strings Y^^ , ^ ^; using the check strings C[^ and C2^. Denote 
hy Y^^ , ^3 '\ the strings Y^^ , Y^'^^ , after error corrections. 

7. The users A and B take their substrings ^3^, Y^ ^, where k^ = u, as the second argument 7" 
in their extractors. 

8. Both users A and B form the keys as Ka = EextiXijX^), Kb = Eext(Xi,Y3)- 
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3.2 Performance evaluation of the protocols 

A theorem has been proved in f22] determining the optimal parameters for both the a, and /?- 
protocols depending on the posed requirements. Let us prove a generalization of that theorem for 
the a, P, aext, and /3ea;t-protocols. We will assume that for the a, and /3-protocols a hashing is 
used as privacy amplification procedure, whereas for Oext, and /3e3;t-protocols an extraction is used. 
Moreover we assume that the first extraction scheme considered in section 12.61 is used, where the 



number of random bits u is determined by equation (27). 



Theorem 12 Let us assume that the users A, B and the adversary E have binary strings X , Y 
and Z^ , respectively after execution of the initialization phase over the wire-tape channel, pw = 
Pr {xi / yi), pw = minjPr {xi ^ Zi) , Pr {yi / Zi)], pm > 0, pw > Pm- Then A and B are able to 
form a common key of length i satisfying the requirements (^-M) after the execution of any of 
the a, j3, Uext, <ind fiext-pfotocols if the parts of lengths ki, /c2 on which were divided the substrings 
X , Y for the a, and aext -protocols or the parts of lengths ki,k2,k^ on which were divided the 
substrings X^ , Y^ for the (3, and /3ext-protocols satisfy the equations listed below: 



for all protocols 



for a and ^-protocols 



I padm 



£ + ri - 2 log P^f;^ - log( J"'^'" In 2) - 2 



for aext, o,nd f3ext-pi"otocols 



ki-H^ = £c + r,- log P^fJ^ + u 

jadm\ ~^ 



+31og£ (^^) +3, (47) 
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where Rc^ and E{Rc^) are determined by [^-(11) and 



logki 



21 



-2 



Inc 



logA;i 



Tadm 



2£ 



(48) 



is the number of the extractor random symbols, c is a parameter under optimization, Ho 
-logmax(p^,l -pw), 



M:-.(^ 



2kn 






P' 



adm 



(49) 
(50) 



i=0 



Y^{y^{i-p, 



\d—i 



j=0 ^ -^ 



Tyadm 
^d 1 



(51) 



where 



fco = < 



(52) 



ki + ri /or the a-protocol, 

2ri /or t/ie ^-protocol, 

u + ri for the aext-pfotocol, 

ri + r2 for the /3ext -protocol, 

and r2 being the number of check symbols of the error correcting (/cs + r2, k'i)-code C2 found similarly 



as in equation {45), 



ks = < 



for the a-protocol, 

fci for the P-protocol, 

for the aext-pfotocol, 

u for the Pext-pTotocol. 

The key rate is then determined as follows: 



(53) 



Rn 



R, 



Olext 



max 



ki + k3 

£ 

ki + /C2 



Rb 



2ki + k^ 



. Rl3e.t = max 



£ 



u + ki + k2 



(54) 
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Proof. For the a and /3- protocols the theorem has been proved in p2]- Let us prove it only for 
the Oext, and /Sexi-protocols. 

Let the bounds of the KDP parameters meet exactly all requirements pll-Q, e.g. the following 
equation hold: 

p -- padm __ 2—kiE{Rci) 



where Rd = Y^hr is the code rate, and E{Rci) is computed by teMlO). Under the condition that 
the adversary gets the sequence Z ^ over a BSC with error probability p^) the conditional minimal 
entropy is 



H^ iX^^Z'"' 



hH^iX\Z) 
-/i:ilogmax(pu;,l - p^ 
kiHoo- 



Since the adversary receives also the check block C{\ in line with (31) the following inequality 
results: 

H^ (x'=i|Z'=SC7[i) > kiH^ -n-s, (55) 

which does not comply with the probability Prisk ^ '^'^■ 



By substituting (55) into (25), we may write e < 2s where r = ic+Slogi — kiHoo + fi + s+u+S. 



Let us assume that /""™ is chosen in such a way that 



23 = loe 



adm \ ^ 



u 



resulting thus condition ( 44 ) . Hence we can write 



£c + 3 log^ - A;iiJoo + ri + s + li + 3 = 3 log 



jadm \ ^ 



2e 



(56) 



Assuming Prisk = Prisk ~ ^ '^, (56) holds eventually from (47). The value u in (56) is the number 



of the extractor random symbols. In order to find it, we can use (27) substituting e by ( -i^j- ] in 



line with Lemma IT] that results in ( 48 ) . A solution of the equation system ( 45 ) and ( 47 ) allows to 
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find the parameters ki, ri, given a fixed c. It will be shown in the sequel that the key rate can be 
maximized by a proper selection of the parameter c. 



In order to find k2 let us assume that the probabilities Pj and Pd have equal values, Pj = p^"™^ 



Pd 



padm^ with 



jadm 



-yadm 



2no 

E 

i=A™+l 
A 



2^oA„i ^1 „ ^2no-^ 



)P^(1 



Pn 



(57) 



E(')pj.(i-P.r 



i=0 



i=o ^ -^ 



(58) 



where no,kQ,d are the parameters of error correcting codes used in the AC. 

Recall that for the AC we had k2 = 2no where no is the length of the error correcting (no, A;o)- 
code with minimum distance d. For the aext-protocol ko = ri + u, while for the /3ea;t-protocol 
^0 = ^1 + ^2; where r2 is the number of check symbols in the {k^ + r2, A;3)-code 62- This gives 
relation (52) for the parameter /cq. 



Using the Varshamov-Gilbert inequality [32] connecting nQ,ko,d and taking into account that 
/c2 = 2no we get 

k2 (l - g (J^]] = 2ko. (59) 



Solving the equation system (57)-(59), equivalent to the equation system (49)-(51), we find the 



parameters k2,d. The value r2 is calculated by (|8|)-(10), in which it is necessary to let k = ur = r2, 



r, — n P — po-dm 

In line with the above protocols, we have that for the aext-protocol, k^ = and for the Pext- 



protocol, ^3 = u. This fact proves (53). Then relation (54) is apparent from the protocols descrip- 
tion. 



Remark 1 // the solution of the system (4-5)-(53) is not unique then it is reasonable to select any 
of them niaxim^izing the key rate. 



Remark 2 It is worth to note that the values ki,k2,k?j,c found for the same requirements P^ 
jadm^ p^dm ^ padm ^ padm ^ ^^^ j^^, (j^^jj^j-^jii protocols, may be different. 



adm 
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/ = 510 



P,„=0,01 




Figure 3: Dependence of key rate versus the parameter extractor c for the aea;t-protocol. 



Remark 3 (Choice of c in (47)-(48)) In figureslM and\^ the dependence of the key rate for the 
Uext-P'^otocol and the fSext-pfotocol is plotted versus the parameter c, given fixed values (. for different 
error probabilities in the main channels. 



We assume that p^ = 0.2, 1"'='™ = IQ-^O, P^dm ^ padm ^ padm ^ padm ^ ^Q-5 ij^ ^i^g plotting 

of these curves. From these curves it is patent that the key rate depends essentiahy on the choice 
of the parameter c. 

Let us compare the a, 13, Oext, /3ea:t-protocols on the key rates. 



Theorem 13 If the key length i is given and the rate Re of the error correction code satisfies 



Rc> n, then Rp > Ra, and Rp^^^ > R, 



■aext ■ 



Proof. The first inequahty is proved as theorem 10 in |22j . Let us prove the second inequahty. 
Let us write Ra^,^^ = ^q:^ and Rj^^^^ = y ,^,y . For a fixed common length, i = £', we should 
prove k[ + u + k'2 < ki + k2. 
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Figure 4: Dependence of key rate versus the parameter extractor c for the /3ext-protocol. 



Under the requirements \l\, \2\, m\ posed to the KDP parameters, Priski / *", it follows 



from (47) that (,' = (, whenever ki = k'^ and ri = r[. Therefore it is necessary just to prove 



k2 > u + ko. 



(60) 



According to the scheme of the AC code design we can write k2 = 2no = 2(ri + u + tq), where tq 
is the number of check symbols of the (no, A;o)-code. k2 = 2nQ = 2(ri + r'2 + t'q), where r'2 is the 
number of check symbols of the (n + rg, r2)-code C2, and Tq is the number of check symbols of the 
(riQ, A;Q)-code. 



By substituting the expressions for k2, kL presented above into (60), we get the equivalent 



inequality u — 2r'2 + 2ro — 2rQ > 0. In order to prove this inequality it is sufficient to show that 
u > 2r2 and tq > Tq. 

The first inequality holds because under the theorem's condition, Re > 2, foi' ^^e {u + r2,r2)- 
code. In order to prove the second inequality, we note that tq is the number of check symbols of the 
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information block of length k^ = u + ri and rg is the number of check symbols of the information 
block of length k'^ = ri + r'2. It is clear that k^ > fcg and it is followed from Varshamov-Gilbert 
inequality that — maintains a constant value as the information block length increases in order to 
get the required error correction capability. Therefore r^ > Tq and this completes the proof of the 
theorem. D 

With the purpose of comparing the protocols performance with hashing and with extraction, 
let us find the relation of key rate for sufficiently large i. 

Theorem 14 As the key length i — )• 00, then the following relations hold 



Ra 

Rp 



^aext ~ ^Pext 



H2{Pw) - gjPm 

3 + 2g{pm) 

H2{Pw) - gjPm 

2 + 4.g{p^) 

HpciPu,) - g{Pr, 

1 + 2g{pm) 



(61) 
(62) 
(63) 



Proof. The proofs of (61) and (62) were presented in [22]. In order to prove (63), let us write the 



relations of the key rates at the aext and /3exi-protocols taking into account (20), (52), (53), (54): 



Rn 



(. 



ki + 2no 



ki + ^2 



i 



ki + 2{ko + ro) 

e 

ki + 2u + 2ri + 2ro ' 



(64) 



Rr- 



ki + u-\- 2no 



ki +u + k2 



ki+u + 2{ko + ro) 



ki+u + 2u + 2ri + 2ro ' 



(65) 
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where u is the length of the extractor seed, ri is the length of the check string for the (ki + ri, ki)- 
code, r2 is the length of the check symbols string for the (u + r2, u)-code, and tq is the length of 
the check string for the AC-code. 



According to (13), r = kg{pm) for sufficiently large t (and hence sufficiently large k). Let us 



rewrite (64), (65) as 



^a^xt 



ki{l + 2g{pm)) + 2u + 2ro' 



^^^""^ {ki + u){l + 2g{pm)) + 2ro' 



(66) 
(67) 



According with (47), 



ic — 2 log Prisk + u + 3 lo; 



H^ 



g{pn 



2i 



+ 3 



(68) 



Substituting ki into (66) produces 



R. 



Hoo - g{Pm) 



CXext 



c(l + 2g{pm)) + 2{H^- g{pm)) (| + ^) 



(69) 



It is easy to show that 



u 



lim 



0. 



Also theorem 



to ( 47 ) and ( 52 ) we get lim^ 



establishes that lim 



£— s>oo 



ko+ro 



0, but since /co — ^ co as long as i ^ oo, according 






0. Now we can write (69), in the limit Ra^xt 



c(l+2g(p„)) ' 



which approaches to a maximum as c — )■ 1. This provides a proof of (63) for the Oext-protocol 



Similarly, by expressing Rfs^^^ as ( 67 ) using fci as in ( 68 ) , the used arguments in the proof of ( 63 ) 

D 



for the aea;t-pJ^otocol, show that (63) holds also for the /3ea;t-protocol. 



The following trivial corollary results from the above theorem. 



Corollary 1 // the channel parameters Pm and p^ are such that 



HooiPw) - giPm) ^ H2{pw) - g{Pn 



1 + 2g{pm) 



3 + 2g{pr, 



(70) 
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and 

2 (HooiPw) - g{Pm)) > H2{pw) - giPm), (71) 

then Ra^xt ^ ^a and Rp^^f > Rp respectively for sufficiently large i. 
Corollary 2 If Pm = 0, then Ra^^^ > Ra and Rp^^_^ > Rp. 



Proof, li Pm = 0, then the relations (70), (71) can be written as 



Hoo{Pw) > i:H2{pw) and Hoo{Pw) > -H2{pw)- 

Since 2Hoo{Pw) > H2{Pw) [T^, then i?^^^, > R^ and R/^^^^ > Rp- □ 

Let us exemphfy the above results and illustrate that the Raext (^) and Rp^^^ (^)-protocols major 
the Ra{() and -R^(^)-protocols respectively. Let us select the following natural requirements for the 
KDP: 

In figure [5] we plot the key rates Rk versus its length (. for both Raext (^) and Rp^xt (^)-pi"otocols 



with Pm = 0.01 and 0.001, Pw = 0.2, and the requirements presented in (72). 

The optimization of c has been performed for every value of L For comparison purposes the 
dependences Ra{^) and Rp{i) are shown also in the figure. 

The following conclusions are drawn immediately after an examination of the obtained depen- 
dence. 

The protocols using extractors have greater key rate than the a and /3-protocols under sufficiently 
large i and small pm ■ It is worth to note that if for the a and /3-protocols the asymptotically possible 



value key rate calculated by (61), (62) can be achieved even in the considered key length range, it 
is not true for the Oext and /3ext-protocols, demonstrating a noticeable increasing proliferation of 
the key rate outside this range. 

We can see that the Oext-protocol is superior than the a-protocol when £ > 5 ■ 10^ with pm = 
0.01 and the /^ext-protocol is superior than the /3-protocol when i > 3.5 • 10^ and pm = 0.001 
(under the stated requirements in our investigations). The key length for which the aext and Pext- 
protocols are superior than the a and /3-protocols essentially depends on the error probabilities in 
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Figure 5: The key rates versus their lengths for different requirements imposed to KDPs. 

the communication channels. 

The /3e^t-protocol is superior than the Oexi-protocol, although these protocols have the same 
asymptotic key rate. Hence, protocols with extractors are superior than the protocols with hashing, 
when -pm = 0. 



4 Key distribution protocols under the condition that legal users 
shared short authentication key before starting the KDP 

The cJ and /^'-protocols have been introduced in [22j, which differ from the a and /3-protocols in 
that legal users A and B have got a short key Sa = Sb of length i^ before starting the KDP. This 
key can be used for authentication of messages transmitted over public discussion channels in order 
to get finally the key of length H. » £q. 

In this section we consider some modification of the a' and /3'-protocols in which instead of hash 
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functions, extractors are used in order to generate the final key. We call these protocols the ag^^ 
and f3'g^^-protocols, respectively. 

ag^j^-protocol Let us suppose that the users A and B have binary strings X , Y respectively. 

1. The user A calculates the check string C^' of length r for the string X using an error correcting 
{k + r, A;)-code C that should be agreed between the legal users in advance. 

2. The user A generates a random binary string 7" of length u. 

3. The user A computes the authenticator w for the message (C^, 7") using a keyed hash function 
from the e-ASU2 class, and the key Sa- 

4. The user A sends to user B over a PDC the message (C^, 7") appending to it the authenticator 
w. 

5. The user B verifies the authenticity of (C^,7") using the algorithm presented in sectional If 
the authenticity of (C^,7") is confirmed, then B goes to the next step, otherwise he rejects 
it. 

6. The user B corrects errors in the string Y^ using the check string C^. (We denote by y^ the 
string Y after error correction). 

7. Both users A and B compute their keys as Ka = Ef.xtiX'^ .l""), Kb = Eext{Y^ .l"^)- 

/3g^j-protocol In a similar manner there is a modified /3-protocol where the random string 7" is 
not transmitted over the PDC but it is formed from the random sequences X , Y . 

The users A and B divide each of the strings X , Y obtained after execution of the initialization 
phase into two disjoint substrings X^^ , X2 ^ ; Y^ \ 1^2 ^ > respectively. Then they perform the following 
steps: 

1. The user A calculates the check string C[^ of length ri for the substring X^^ using an error 
correcting {ki + ri, A;i)-code Ci. 

2. The user A calculates the check string C^ of length r2 for the substring Xg^ using an error 
correcting {k2 + r2, fc2)-code C2. 
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3. The user A forms the authenticator w for the message (C[^, Cg^), using a keyed hash function 
from the class e-ASU2 and the key Sa with length £q. 

4. The user A sends to B the message (C[\ 6*2^) appended with the authenticator w. 

5. The user B verifies the authenticity of the message (C[^, 6*2^ ) using the authentication algo- 
rithm (see section^ and the key Sb- If authenticity is confirmed, then user B goes to the 
next step, otherwise he rejects the KDP. 

6. The user B corrects errors in the strings Y^^, 1^ ^ using the check strings C[^ and Cg^. (We 
denote by Y^ ^, 1^ ^ the strings Y^^, 1^ ^ after error correction.) 

7. The user A takes the string Xg^ as seed 7" and the user B takes the string Y^ ^ as seed 7". 

8. Both users A and B compute their keys as Ka = Eext{X^\x!^^), Kb = EextiY^\Y^^)- 
Let us estimate the key rate of these protocols. 

Theorem 15 Let us suppose that the users A, B and the adversary E have binary strings X , Y 
and Z^ , respectively after execution of the initialization phase over the wire-tape channel, pm = 
Pr (xj / yi), pw = min(Pr (xj 7^ zi) , Pr (yj / zi), pm > ^, Pw > Pm- We assume that the users A 
and B share initially a short key S of length Iq in order to authenticate messages transmitted over 
the PDC. 

Then A and B are able to form a common key of length £ satisfying the requirements IW-l^ 
after the execution of the a'^^^ and (3'^^^-protocols if the lengths ki, k2 of substrings X^ , Y^ and Z^ 
and Iq satisfy the equations listed below: 

loe: P"-'^'^ 

ki-Hoo = ic + n- log P,fj^ + u 

jadm \ ~^ 



+31og^ (^^) +3, (74) 



where Rc^ and E{Rc^) are calculated by (10)-(12) and 



for the a' .-t -protocol, 

(75) 

u for the j3'^^^-protocol, 
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and 



logki 



21 



Inc 



log/ci 



jadm 

~2f 



(76) 



is the number of the extractor random symbols, c is the parameter under optimization, 



i + 1 

a 
22» 



a{2 + i) 



S ^d 5 



(77) 
(78) 



where 

f 

T\^u for the a'^^^-protocol, 
^1 + ^2 for the P'^^^-protocol, 

and r2 being the number of check symbols of the error correcting (/c2 + ^2^ k2)-code C2 found similarly 



(79) 



as in eq's (73}-(74}- The key rate is then determined as: 



R„ 



£ 
max -— 
c ki 



R 



h'ext 



max 



c ki + k2 



(80) 



Proof. The relations (73), (74) and (76) can be proved similarly as (45), (46) and (47) in 



theorem 10 The relation ( 75 ) is apparent from the protocols description. In order to prove ( 77 ) , ( 78 ) 



we assume that for authentication of messages of length a (see relation (79)) an e-ASU2-hash 



function is used. Relying on (15) we write 2" = q'^\ 2^° = q^^"^, e = ^-^ 



. Let us put q 



then 



a = 2% , £0 = b{i + 2) , e 



i + 1 
2b ■ 



(81) 



Let us assume that the probability of false message deception is equal to e = P? . Then from (81 ) 



the relations (77), (78) are valid. The relation (80) follows from the protocols definition taking into 
account that the number of the extractor random bits can be optimized with respect to c. D 



By substituting (74) into (80) and using (13) we get that as £ — )• 00: 



R„ 



Rf- 



£ [gpo - g{prn)] 

Deni 

£ [gpo - g{pm)] 
Den2 



(82) 
(83) 
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ji'-protocol 



^ J3'^ -protocol 



Figure 6: Key rates versus its length for different KDP provided initially with short authentication 
keys. 



where 



Deni = £c- log Prisk + u + 3 log ^ 
Den2 = Deni + u. 



Tadm 



21 



+ 3, 



From (82), (83), we have i?„' > Ra' ■ When £ — )■ cxd both protocols have the same key rates 



R„ 



^PLt = Hoc- g{Pm)- 



(84) 



Let us compare the key rates of the a'^^^ and /3g^.(-protocols and the a' and /3'-protocols. In [22] 
the following relations have been proved: 



Ra' 



H2{Pw) - g{Pm) 



Rp' -^ \[H2{pw) - g{Pm)\ 



> as i: — )• oo. 



Comparing these relations with ( 84 ) we may conclude that Rai > Ra' = Ra' for any values p, 



and pm- Rp' can be either larger or smaller than R^i = R^i depending on the ratio of pw and 

Pm- 

In order to illustrate the above assertions we plot in figure [6] the dependence of the key rate 
versus its length for the a', /3', a'^^^ and /3g^,j-protocols, given p^ = 0.2, pm = 0.01 and J'*^™ = 10"^*^, 

padm padm padm in~5 

C d T'lSfv. 
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Table 1: Groups of hybrid protocols 


Protocol group 


Authentic ilKfiy gen- 
key gen- eration 
eration 


1 


(a, a'), {a, 13'), 
if3,a'),if3,f3') 


hashing 


hashing 


2 


ia,a'^^t), {a,f3'^^t), 
{(3,a',,,),{P,/3'ext) 


hashing 


extracting 


3 


{aext,a'), {aext,/3'), 

{I3ext,a'),{l3ext,l3') 


extracting 


hashing 


4 


{aext,a'ext)^ 
{oiext,P'ext)^ 
(/3ext,aext)> 
{Pext, (3'ext) 


extracting 


extracting 



5 Two-stage (hybrid) protocols with extractors 

We remember that the hybrid protocols \12\ I25j are combinations of protocol pairs (a, a'), (a,/3'), 
(/3,a'), (/3,/3') where the first protocol in each pair is used in order to generate a relatively short 
key S of length (.q required for hash function and check bits authentication, whereas the second 
protocol is used in order to form the final key K. 

The keys S and K can be obtained by execution of the privacy amplification procedure based 
either on the use of hash functions or extractors. This means that for every above mentioned hybrid 
protocol pair, there are four variants of hashing or extracting applications. In total, there can be 
formed 16 protocols, which in turn can be split into four groups as shown in table [T] 

The first group of protocols was investigated in [22], and there it has been proved that every 
such protocol can be the most efficient depending on the additional key requirements imposed to 
it. It is worth to note that even for large length I of the key K, the length £o of the authentication 
key occurs moderate P2] (p- 2543). If ^ = 32000 {pm = 0.01, py, = 0.2, P"'^'^ = 5 • IQ-^), then 
Iq = 678. But since, as shown in section |3j extractors are superior than hash functions only with 
large key lengths, their application is useless in the first stage of the hybrid protocols, where a short 
key is required. 

Therefore, the protocols from groups 3 and 4 have not been considered. It is sufficient to 
investigate protocols from the second group, where the authentication key is generated by hashing 
and the generation of the final keys is performed by extraction. Thus we consider the following 
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a) (a, a \J- protocol 

Initial string 





X3 , 


X2 






X, 








" 








a- protocol 








S 








a ' ^-(-protocol 





b) Off, «'<,,,t)- protocol 

Initial string 
X4 I X3 I X2 I Xf 



P- protocol 



T^ 



« ' ^-/-protocol 



J^ 



c) («,/?',J- protocol 

Initial string 
I X4 I X3 I X2 I Xj 



d) (l>-,P'eJ- protocol 

Initial string 
X5 I X4 I X3 I X2 I Xj 



a- protocol 
S 



/''tv/-protocol 



p- protocol 



''07 -protocol 



K 



T^ 



Figure 7: Different types of hybrid protocol with extractors. 

hybrid protocols: (a,ag^.^), (a,/3e^^), (/3,ag^.j), (/3,/3g^.^). For a more detailed description with the 
design of these protocols and the specification requirements of each protocol component, we refer 
to [22] (p. 2544). 

Let us give a short description of the (a, aej^^^)-protocol. It is based on the (a, a')-protocol 
proposed by Korzhik and Morales [23]. In this protocol, the sequences X^ , Y^ of users A and B 
are divided into three parts Xf\ X^", X^^ and Y^\ Y^^ , Y^'^ respectively (see figure [7[a). The 
subsequences X^^, Xg^, (Y^ \ ^2 ^) ^^^ used for the generation of the authentication keys Sa (Sb)- 
The subsequence Xg^ (^3 ^) and the key Sa {Sb) are used in the ag^.^-protocol for final Ka (Kb) 
key generation. The key rate of this protocol can be written as 



R 



i<-K.t) ki + k2 + h h + 



(85) 






where Ra = yTV ^^ ^^^ ^^^ ^ '■^^^ ^* ^^^ length £0 in the Q-protocol. 
Let us prove the following lemma. 

Lemma 2 The convergence -f ^ ^, as £ ^ cxd, holds in the (a, a'^^^) -protocol. 



Proof. Let us consider the (a, ag^j)-protocol. According to (79) the input block length of the 
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€-ASU2 hash function used in the aea;f-pi"otocol is equal to a = r^ + u. We show initially that 



rs + li — )■ oo as £ — )■ oo. The relations (76) and (11) give 



logfcs (^ 



2e 



-2 



Inc 
rs = il-Rc)k3. 



(86) 
(87) 



Thus in order to prove that ra + n — t- oo it is necessary to show that ^3 — )■ oo as ^ ^- oo. Taking 



into account equation (13), we can present (74) in the form 



£c-logP;.^™ + n + 31og 



2e 



+ 3 



HooiPw) - g{Pm) 



(88) 



From the above relation, it follows that /ca — )• 00 as £ — )• 00 and both (86), (87) result as rs — )• 00 



and u — )• 00. Then using (77) for an estimation of the hash function parameters, we may write 



lim — = lim — ^- = 0. 



Using ( 88 ) , the relation ( 85 ) can be expressed as 



D 



R, 



("."er^t) 



Hoojpnj) - gjPm) 

Den^ 



(89) 



where 



Den^ 



logP,t™ + « + 31og 

Hoo{Pw) - g{Pm) 



jadm \ 
"2FJ 



+ 3 



Rn 



Taking into account that Ra is constant and 



io 



(see Lemma 2^ we can see that the last 



term in the denominator Den^ of (89) approaches to zero as £ — )• 00. The other terms in the 



denominator Dens also approach to zero because they consist either of values approaching zero or 
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have a logarithmic dependence on i. 



Since the right side of (89) approaches a maximum, Rfa,a' ) approaches a maximum as c — )• 1, 



then the following asymptotic estimation holds for the key rate of the (a,ag^j)-protocol 

^(«,<,t) = HooiPw) - g{Pm), (90) 

^(Q,a^,t) = HociPw) as Pm -^ 0. (91) 

In the (/3, ag^j)-protocol (see figure uib) the sequences X^, Y'^ are divided into four parts ^^S 
X^\ X^^, Xl^ and Y^\ Y^\ Y^\ Y^\ respectively. The subsequences XfS X^^ X^^ and Y^\ 
1^2^, Yg ^ are used in the /3-protocol in order to generate the authentication key S of length £o- 
The subsequence X^* (1^ *) is used in the ag^-j-protocol for final keys Ka, Kb generation. One can 

write 

(. 

^^4 + 7?^ 
where Rp = ^ +k +k ^^ ^'^^ authentication key rate. 

By comparing this protocol with the previous one, we can conclude that for the same length d. 
of the final key, the equality k/^ = k^ should hold. As it was shown in [22J , Rjj > R^ and the length 
Iq of authentication key for the a-protocol is larger than the length io of the authentication key 

for the /3-protocol. Hence 

^o(a-pi'otocol) £o(/3-pi'otocol) 



Ra R 



'/3 



and R(i3,ai^^) > R{a,a'^,,)- 

It is easy to show that 



^{PK^t) ^ ^ooiPw) - g{Pm) as ^ -^ oo, (92) 



that coincides with the key rate of the (a, Qg2,j)-protocol, see (91). If pm = we get by (92) 

^(/3,<,,)=^oo(Pm). 

Next let us consider the (a, /3g^J-protocol (see figure [7[c) in which each sequence X^ , Y^ is 
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divided into four parts X^^ , ^2^, ^3^, X^^ and Y^ ^ , ¥2^ , Y^^ , Y^"^ , respectively. The subsequences 
X^^ , ^2^ and ^x ^' ^2 ^ ^^^ used in the a-protocol for the generation of the key Sa, or 5b for the 
/3g^j-protocol, while subsequences ^3^, X^"^ and Y^'^, Y^ * are used in the /3g^j-protocol for the final 
key Ka (Kb) generation assuming X^"^ and 1^ "^ as random "seeds" 7 * while using in extractor. 



Similarly to (85) we can write 



H"'^-) ks + u+-^ 



The parameter £q is smaller in this protocol than in the (a,ag^()-protocol, because only to au- 
thenticate the check sequences X^^ and X^* of total length ri + r2 there is used an e-ASU2 hash- 



function. However the additional item (u) calculated by (76) increases the denominator and hence 



In the (/3,/3g^.()-protocol, each sequence X'', Y^ is divided into five parts Xf^ X^^, X^^ , X^'^, 
Xl^ and Y^\ Y^\ Y^\ Y^* Kf% respectively (see figure Qd). The subsequences Xl\ X^\ X^'' 
and y^ \ 1^2 ^' ^3 ^ 3'^6 used in the /3-protocol to generate the keys Sa, Sb- The subsequences X^^, 
Xg^ and 1^4'' Y^^ are used in the /^g^j^-protocol to generate the keys Ka, Kb- Let us write 



"^^''^'-^^ - fclT^ 



Rp 



In this relation by the same reason mentioned during the analysis of the (a, /Sg^jJ-protocol, the 
value io will be smaller than in the (/3, ag2,^)-protocol and the rate Rp is larger. Therefore the third 
item is slightly decreasing. However the presence of sufficiently large item u results in a key rate 
decreasing giving the inequality R(i3^p> ) < ^{i3,a' )• 

There may be for the {a,(3'^^f), (/3, ag^^)-protocols some equivalent statement to Lemma [2| e.g. 
it can be proved that -# — )• as ^ — )• 00. Furthermore, by writing the relations for k^, k^ and u, 



from theorem 12 it is very simple to get asymptotically achievable the key rate for the (a,/3g^,j), 
(/5, aea;t)-protocols. 

-^(a,fet) = ^(/3,/3Lt) = HociPw) - 9{Pm)- (93) 



Comparing (90), (92) and (93) we can see that asymptotically all hybrid protocols have the same 
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Figure 8: The key rates for hybrid protocol. 



key rates, however the (/3, ag^jj-protocol has non-asymptotically the largest key rate among all 
above considered hybrid protocols. 

It is worth to compare this protocol with the (^, a')-protocol, that (as shown in [22]) has 
maximum possible key rate for sufficiently large i among all hybrid protocols using hash functions 
in the privacy amplification procedure. 

For the (/3, a')-protocol one can write |22j 



R 



il3,a') 



H2{Pm) - g{Pn 



(94) 



By comparing (92) with (94) and taking into account that H2{pm) ^ -ffoo(Pm) we can see that for 



larger, %,„,^j>%,,/^j. 

From this inequality, it follows that an implementation of extractors for large key length in 
hybrid protocols are inefficient. 

In figure |8] there are plotted the key rates versus its length for hybrid protocols under the 



-30 padm lyadm padm 



conditions pm = 0.01, p^j = 0.2, J'^'*™ = lO^'^^ P^'^"' = Pf"" = Pf""" = 10"°. 

The curves R{i) were plotted with the use of the technique proposed in p2]. They clearly 
demonstrate a behavior of the key rate depending on the key length for different protocols. We can 
see that the (a, a') and (/3, a')-protocols have the greatest key rates among all hybrid protocols. The 
(a,/?'), {(3,(3'), {a,a'^^^), and (/3, Og^J-protocols have approximately equal key rates for large key 
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length and the {a,l3'^^^) and (/3, /3g^J-protocols have the least key rate among the above considered 
hybrid protocols. 

6 Conclusions 

In the current paper, an investigation of key distribution protocols based on noisy channels started 
in [22] has been continued with such a difference that extractors are used instead of hash- functions in 
the privacy amplification procedure. The main goal was to prove extractor-based protocols efficiency 
by the criterion of key rate maximization. The relations are non-asymptotic and constructive 
because they do not include some uncertain coefficients in notations, in contrast with other papers. 

We use the modified Trevisan's extractor [301 ES] in our paper. It has been proposed new P^xt 
and /3g^j-protocols which differ from those known before [T^ because the extractor's seed is not 
transmitted over the PDC but, instead, it is generated from random sequences obtained by legal 
user after the execution of the initialization phase. We proved that the use of extractors in the 
aext and /3exi-protocols increases the rate, in comparison with hashing-based protocols only for very 
large key length i (typically i £ [10^, 10^]) and for some specified values of the error probabilities 
both in the main and in the wire-tap channels. 

It was investigated a performance evaluation of the so called extractor-based hybrid protocols, 
consisting of two protocols executed in a serial manner where the first protocol in a pair is used for 
the generation of a relatively short key S of length Iq. This key is necessary for authentication of 
check bits, and a random number (seed) of extractor. The second protocol is used for the final key 
generation. We prove that extractor based protocols should be used only in the second protocol of 
the pair. 

We selected four hybrid protocols for further investigation (a,ag^^), (/3,ag^j), (a,/3gj.J and 
(/3,/3g^.j)-protocols. The relations for their key rates have been derived for both finite and asymp- 
totically growing key lengths. The greatest key rate is got for the (/3, Qg^j)-protocol. This protocol 
was compared with the (/3, a')-protocol considered in |22j, which has the greatest key rate among 
all hybrid hashing-based protocols. The investigations showed that hybrid protocols with the use 
of extractor-based second stage protocols are less efficient than hashing-based protocol. 
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We investigated also (but not in a deeper detail) other variants of extractors from [29]. Even with 
some improvement of their characteristics (in the sense of the seed length) , the general conclusion 
is kept the same: the use of extractors is justified only with very large key length. 

We get also asymptotic estimates for the key rates of all proposed protocols that allows to 
compare the potential efficiency of all considered early protocols. These relations are presented 
in table [2} We can see that asymptotically all hybrid protocols have the same key rates equal to 
Hoo{Pw) — giPm), that is larger than the key rates for single Oext and /^ea't-protocols that is equal 

4-„ Ho^{p^)-g{pra) 

^° l+2g(p„) • 

These relations are similar "on structure" to relations for key capacity g{pw) — g{Pm), P^, but 
differ from the last one in changing of Shannon's entropy g{pw) to min entropy Hao{pw)- 

If the main channel is noiseless then all protocols using extractors have the same asymptotic key 
rates equal to Hoo{pw)- It is worth to note that asymptotically all hybrid extractor-based protocols 
are inferior to hash-based protocols. But this conclusion may be considered as a consequence of 
crude estimate of information leaking to eavesdropper based on the use of min entropy. 

We summarize the key rates for different KDP in table [2] It can be seen from this table how 
closer or farther are the key rates to the secret key capacity given by n. 
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Table 2: Key rates for different KDP 



Protocol type 
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